Date: Thu, 11 Aug 2016 11:30:37 +0200
From: Jan Bramkamp <crest@rlwinm.de>
To: freebsd-current@freebsd.org
Subject: Re: Passwordless accounts vi ports!
Message-ID: <84687796-5113-152c-cf34-9f8e891c3ea2@rlwinm.de>
In-Reply-To: <20160811070505.2c1a1466@freyja.zeit4.iv.bundesimmobilien.de>
References: <20160811070505.2c1a1466@freyja.zeit4.iv.bundesimmobilien.de>
On 11/08/16 07:05, O. Hartmann wrote:
> I just checked the security scanning outputs of FreeBSD and found this
> surprising result:
>
> [...]
> Checking for passwordless accounts:
> polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> [...]
>
> Obviously, some ports install accounts but do not secure them as there is an
> empty password.

Are you certain that the ports didn't use "*" as the crypted hash, which isn't a valid hash for any supported algorithm and prevents password-based authentication for the account?

FreeBSD also uses two passwd files (and compiles them into databases for fast lookups). The old /etc/passwd is world-readable but contains no passwords, and the real /etc/master.passwd is only accessible by root. If you run `getent passwd`, the missing password field is replaced with "*", which can confuse buggy scripts.
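As an added example, not part of this thread or of FreeBSD's own periodic security scripts: a POSIX sh fragment that makes the distinction the reply draws, between a genuinely empty password field (passwordless), a field holding a non-hash marker such as "*" (or the "*LOCKED*" prefix written by pw(8)), and a real crypted hash. The function names and the sample master.passwd-style lines are constructed for illustration; the sample mirrors the format of the quoted report but describes no real system. The input must be the root-only /etc/master.passwd, since the world-readable /etc/passwd and `getent passwd` show "*" for every account and would hide exactly the condition being checked.

```shell
#!/bin/sh
# Added example, not from the thread. Sample lines are CONSTRUCTED in the
# master.passwd format (name:pw:uid:gid:class:change:expire:gecos:home:shell).
SAMPLE_MASTER_PASSWD='polkitd:*:565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
root:$6$constructedsalt$constructedhash:0:0::0:0:Charlie &:/root:/bin/sh
toor:*LOCKED*:0:0::0:0:Bourne-again Superuser:/root:'

# classify_pw FIELD -> prints one of: empty, locked, hashed
# "*" is not a valid hash for any crypt(3) algorithm, so it can never match a
# typed password; an empty field is the only truly passwordless case.
classify_pw() {
    case "$1" in
        '')               echo empty ;;
        '*'|'*LOCKED*'*)  echo locked ;;
        *)                echo hashed ;;
    esac
}

# passwordless_accounts < master.passwd-format text
# Prints the names of accounts whose password field is empty. Splitting on ':'
# with read(1) keeps empty fields, so "saned::194" yields pw="".
passwordless_accounts() {
    while IFS=: read -r name pw _rest; do
        [ -z "$name" ] && continue                 # skip blank lines
        case "$name" in '#'*) continue ;; esac     # skip comments
        [ "$(classify_pw "$pw")" = empty ] && echo "$name"
    done
}

# Stand-alone usage on the constructed sample; on a real host this would be
# run as root as: passwordless_accounts < /etc/master.passwd
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | passwordless_accounts
```

Run against the constructed sample, only `saned` is reported; `polkitd` and `toor` are classified as locked, and `root` as hashed. A scanner that instead compared the field against "*" after reading /etc/passwd or `getent passwd` output would report nothing useful, which is the confusion the reply describes.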